我创建了一个使用组织许可证销售的加载项。
我在加载项上实现了身份验证方案。我目前要求User.Read
范围确保使用和Azure v2端点进行身份验证。要获取我查询的用户信息
https://graph.microsoft.com/v1.0/me
要正确测试用户的许可证,我需要提取用户的组织标识。但是,我从Grah请求收到的用户信息可以递增。对于AAD帐户,架构类似于:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
businessPhones: [],
displayName: "FirstName LastName",
givenName: "FirstName",
id: "unique-id",
jobTitle: null,
mail: "First.LastName@COMPANYDOMAIN.COM",
mobilePhone: null,
officeLocation: null,
preferredLanguage: null,
surname: "LastName",
userPrincipalName: "FILastName@COMPANYDOMAIN.COM"
}
如果我使用
https://graph.microsoft.com/BETA/me
我获得了更多信息,但没有任何可以帮助我确定用户组织中唯一ID的信息。
我需要使用不同的范围来获取用户组织的信息吗?如果没有,我可以依靠从用户的电子邮件中解析域名作为用户组织的唯一ID吗?我是否需要查询其他API?
如果有帮助,在用户使用AD进行身份验证后,我会收到以下响应:
{
access_token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEWDhHQ2k2SnM2U0s4MlRzRDJQYjdyN1VLTzdJSDJSLWpTcmpScU9..."
expires_at: Fri May 18 2018 07: 18: 42 GMT - 0400(Eastern Daylight Time) {}
expires_in: "3599"
provider: "Microsoft"
scope: "https://graph.microsoft.com/User.Read"
session_state: "012f4565-31bb-..."
state: "259309..."
token_type: "Bearer"
}
https://graph.microsoft.com/BETA/me
{
@odata.context: "https://graph.microsoft.com/beta/$metadata#users/$entity",
accountEnabled: true,
ageGroup: null,
assignedLicenses: [],
assignedPlans: [],
businessPhones: [],
city: null,
companyName: null,
consentProvidedForMinor: null,
country: null,
deletedDateTime: null,
department: null,
deviceKeys: [],
displayName: "FirstName LastName",
employeeId: null,
givenName: "FirstName",
id: "ebdcf715-43c5-4f48-ad0d-b798a3330849",
imAddresses: [],
jobTitle: null,
legalAgeGroupClassification: null,
mail: "FirstName.LastName@COMPANYDOMAIN.COM",
mailNickname: "FirstName.LastName",
mobilePhone: null,
officeLocation: null,
onPremisesDomainName: "COMPANYDOMAIN.COM",
onPremisesExtensionAttributes: {
…
},
onPremisesImmutableId: "...RVWAty...",
onPremisesLastSyncDateTime: "2018-05-10T18:13:45Z",
onPremisesProvisioningErrors: [],
onPremisesSamAccountName: "FILastName",
onPremisesSecurityIdentifier: "...-21-1412366426-...",
onPremisesSyncEnabled: true,
onPremisesUserPrincipalName: "FILastName@COMPANYDOMAIN.COM",
passwordPolicies: "DisablePasswordExpiration",
passwordProfile: null,
postalCode: null,
preferredDataLocation: null,
preferredLanguage: null,
provisionedPlans: [],
proxyAddresses: [],
refreshTokensValidFromDateTime: "2018-05-10T17:54:45Z",
showInAddressList: null,
state: null,
streetAddress: null,
surname: "LastName",
usageLocation: "US",
userPrincipalName: "FILastName@COMPANYDOMAIN.COM",
userType: "Member"
}
access_token
{
"typ": "",
"nonce": "",
"alg": "",
"x5t": "",
"kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}.{
"aud": "",
"iss": "",
"iat": "",
"nbf": "",
"exp": "",
"acr": "",
"aio": "",
"amr": [
"pwd"
],
"app_displayname": "",
"appid": "",
"appidacr": "",
"family_name": "",
"given_name": "",
"ipaddr": "",
"name": "",
"oid": "",
"onprem_sid": "",
"platf": "",
"puid": "",
"scp": "",
"sub": "",
"tid": "",
"unique_name": "",
"upn": "",
"uti": "",
"ver": "1.0"
}.[Signature]
答案 0 :(得分:6)
答案 1 :(得分:3)
如果没有其他工作,您可以解码访问令牌并获得tid
声明。这是Azure AD租户的ID。
您可以在此处找到令牌中的声明文档:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
例如,以下是tid
的内容:
不可变的,不可重用的标识符,用于标识颁发令牌的目录租户。您可以使用此值访问多租户应用程序中特定于租户的目录资源。例如,您可以使用此值来识别对Graph API的调用中的租户。
答案 2 :(得分:1)
现在,这可能不是直接使用图形API,而是使获取组织的租户ID非常简单。只需对“ https://login.microsoftonline.com/ {您的域名} /。众所周知的/ openid-配置”执行一次GET。返回的结构将具有租户ID。在浏览器中尝试以下网址,例如:https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration。